CVE-2020-11453 – MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-11453
Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it can still be used to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and exposed services). NOTE: MicroStrategy states that it is unable to reproduce the reported issue in any version of its product. **DISPUTED** • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2020-11452 – MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution
https://notcve.org/view.php?id=CVE-2020-11452
Microstrategy Web 10.4 includes functionality that allows users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it is possible to send requests to external resources (SSRF) or to leak files from the local system using the file:// stream wrapper. MicroStrategy Intelligence Server and Web version 10.4 suffers from remote code execution, cross-site scripting, server-side request forgery, and information disclosure vulnerabilities. • http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html http://seclists.org/fulldisclosure/2020/Apr/1 https://community.microstrategy.com/s/article/Web-Services-Security-Vulnerability https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case • CWE-918: Server-Side Request Forgery (SSRF) •
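As an added example (not MicroStrategy's code and not taken from the referenced advisories), below is a fail-closed validator for an "import from URL" feature of the kind CVE-2020-11452 describes. It refuses the file:// wrapper and every other non-HTTP(S) scheme, and it resolves hostnames so that targets on loopback, RFC 1918, link-local (cloud metadata) and other non-public ranges are refused before any connection is made; those are the same targets an SSRF port-scan oracle like the one in CVE-2020-11453 relies on. The allowed-port set, the hostnames and the DNS answers in FAKE_DNS are constructed for the demo; the system resolver is used when no resolver is passed in.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

# Policy for an "import from URL" feature: HTTP(S) only (never a local
# stream wrapper such as file://), a small set of ports, and no host that
# maps to a non-public address. The port set is an assumption for the demo.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080, 8443}

Resolver = Callable[[str], Iterable[str]]


def _system_resolver(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA answer via the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_public(addr: str) -> bool:
    """True only for addresses that are globally routable and not special."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:127.0.0.1 etc.
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_import_url(url: str, resolver: Resolver = _system_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything that cannot be classified is refused."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port  # raises ValueError on an out-of-range port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    effective_port = port if port is not None else (443 if scheme == "https" else 80)
    if effective_port not in ALLOWED_PORTS:
        return False, f"port {effective_port} not allowed"
    # An IP literal is checked directly. A hostname is resolved and *every*
    # answer must be public, so a name that mixes a public and an internal
    # address is refused. Odd literals such as "2130706433" fail ip_address()
    # and fall through to resolution, where their real target is checked.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = list(resolver(host))
        except (socket.gaierror, OSError, KeyError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not addrs:
            return False, f"cannot resolve {host!r}"
    for addr in addrs:
        if not _is_public(addr):
            return False, f"{host!r} maps to non-public address {addr}"
    return True, "ok"


# Constructed DNS answers for offline use; these are not real records.
FAKE_DNS = {
    "data.example.com": ["93.184.216.34"],
    "v6.example.com": ["2606:2800:220:1:248:1893:25c8:1946"],
    "intranet.corp.example": ["10.0.0.5"],
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    """Lookup against FAKE_DNS; unknown names raise KeyError (treated as unresolvable)."""
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "file:///etc/passwd",
        "http://127.0.0.1:8080/",
        "http://169.254.169.254/latest/meta-data/",
        "http://intranet.corp.example/",
        "http://mixed.example.com/",
        "https://data.example.com/report.csv",
    ):
        print(candidate, "->", validate_import_url(candidate, fake_resolver))
```

Two caveats that matter in practice: the HTTP client must connect to the address that was validated (or re-run the check on each connection and on every redirect), otherwise a second DNS lookup inside the client reopens the rebinding window; and Python's ipaddress classifies the TEST-NET documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-public, so use a genuinely routable address when writing positive test cases.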
CVE-2019-18957
https://notcve.org/view.php?id=CVE-2019-18957
Microstrategy Library in MicroStrategy 2019 before version 11.1.3 has reflected XSS. • http://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Nov/4 https://seclists.org/bugtraq/2019/Nov/23 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-12453
https://notcve.org/view.php?id=CVE-2019-12453
In MicroStrategy Web before 10.1 patch 10, stored XSS is possible in the FLTB parameter due to missing input validation. • https://github.com/undefinedmode/CVE-2019-12453 http://www.microstrategy.com/producthelp/10.10/Readme/content/web.htm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-12475
https://notcve.org/view.php?id=CVE-2019-12475
In MicroStrategy Web before 10.4.6, there is stored XSS in a metric due to insufficient input validation. • https://github.com/undefinedmode/CVE-2019-12475 https://community.microstrategy.com/s/article/Defects-and-Enhancements-Addressed-in-MicroStrategy-10-4-6-Secure-Enterprise-Platform?language=en_US • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •